Note: This site is distributing a rogue (“fake”) anti-malware product. Do not visit, pay, or download the software discussed below. To learn how to remove Antivirus Pro 2009 please see the information at the bottom.
We discovered a new rogue called AntivirusPro 2009. The files are not available on the site (yet).


Site:
- hxxp://www.antiviruspro2009.com
- hxxp://www.antiviruspro-2009.com
- hxxp://www.antivirus-pro2009.com
- hxxp://www.antivirus-pro-2009.com
File: None yet
SharedNS: None
Removal:
Note: This site is distributing malicious content. Do not visit, pay, or download the software discussed below.
A few weeks ago we posted about PandaLabs' discovery of a YouTube page creator tool used to make fake YouTube pages that distribute malware. Today we came across a new fake YouTube page used to distribute the Exchanger trojan.

Site: hxxp://neopingoo.org/index14.php
File: pornwvideo3u96.exe
VirusTotal: Result: 13/36 (36.11%)
Removal:
Note: This site is distributing a rogue (“fake”) anti-malware product. Do not visit, pay, or download the software discussed below.
We found a new rogue domain today. This time we are greeted with JavaScript and a redirect to a 502 (Bad Gateway).


You may be wondering why we see a 502 error rather than the typical incomplete template.
The redirection takes us to antivirus-scanner.com and that site is hosted by EstBoxes. EstBoxes is a former customer of Atrivo (InterCage). Atrivo was forced to remove EstBoxes as a customer after their last upstream provider (PIE) pulled the plug on them for ignoring abuse complaints about all of the malware and botnets on their network.
So you can thank all of the people that helped take down Atrivo in an effort to remove many malicious sites from the internet. Shoutout to the team at HostExploit! You can read their CyberCrime USA whitepaper here.
Site: hxxp://Antivirus-Alert.com
Server Data:
IP Address: 203.117.111.47
IP Location: Singapore – Singapore – Starhubinternet
Response Code: 200
Domain Status: Registered And Active Website
It has been 48 hours since we sent our complaint to Plimus regarding their badware producing customer, Antivirus Advance. [original post]
Plimus has not made an attempt to contact us and we *know* they saw the complaint the very morning we posted it.

We checked the site and Antivirus Advance is still being sold through the Plimus e-commerce portal. This is unfortunate because innocent people are being had by this badware product, and the only people who could help stop it from being sold will not even reply to our complaint!
I have resubmitted my complaint to Plimus. I hope they reply to me this time! I would like to prevent further actions and resolve this issue on amicable terms. I can be contacted directly at lithium@malwaredatabase.net.
**UPDATE**
Plimus has finally contacted me!

Note: This site is distributing a rogue (“fake”) anti-malware product. Do not visit, pay, or download the software discussed below.

Site:
hxxp://bestantivirusscan.com/
**Note**
They have made a mistake with the “Download” button. It’s pointing to hxxp://bestantivirusscan.com/2009/download/trial/A9installer_.exe, but the file is actually named “A9installer_880221.exe”. It’s only a matter of time before they fix it.
File: A9installer_880221.exe
VirusTotal: Result 1/36 (2.78%)
File size: 139264 bytes
MD5: deeec29fcbb71fd7ee6682156699cd72
SHA1: ac7b76b8094518d6b3b7a895bc9828bcf8a75cae
SHA256: b2a7b8cb026cd19b66b071b834d0fecb455b91c29f1ac0f9e167fae03f294ed2
SHA512: 8b307ae0559bdc3c8a0195437924138e991b2c81ac453ca0f169c55bc0266d81a681d97211c3e349625d0ce4d9509d3ef6b4d295bbbfa2723b194983fc85039a
PEiD: -
TrID (file type identification):
- Generic Win/DOS Executable (49.5%)
- DOS Executable Generic (49.5%)
- VXD Driver (0.7%)
- Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
Note: This site is distributing a rogue (“fake”) anti-malware product. Do not visit, pay, or download the software discussed below.

Site:
hxxp://scanner-protection.com
hxxp://virus-scan-online.com
File: AV2008install.exe
VirusTotal: Result 5/36 (13.89%)
File size: 186880 bytes
MD5: 9ca4a84b7d9e074948fa3e3259695e1b
SHA1: 52bf41bbc39daa7cc729cac49ebbbc4cc1068d79
SHA256: de2564f71fa018dd36b74dafdf7bef26ffc2c1006581b517d45709e364a1f0c8
SHA512: 47a8ab7d0c8567922d97e6d7183ed646a75ec9d42ba37d997fb77de237946ce2c9c24c8abc1f0be87a39acf48d4e8be41df82303eac0a628832c9a282944af83
PEiD: -
TrID (file type identification):
- Win32 Executable Generic (35.2%)
- Win32 Dynamic Link Library (generic) (31.3%)
- Win16/32 Executable Delphi generic (8.5%)
- Clipper DOS Executable (8.3%)
- Generic Win/DOS Executable (8.2%)
Note: This site is distributing a rogue (“fake”) anti-spam product. Do not visit, pay, or download the software discussed below.

Site: hxxp://spamnuker.com/
File: OutlookSpamNukerInstaller.exe
VirusTotal: Result 14/36 (38.89%)
File size: 29280 bytes
MD5: 463de2ba97b8effef4b72430de51553b
SHA1: 1eb9f02c925ef27c5e6a1086cb0c6c798c208eaf
SHA256: 7700a3c6a95ed1bb2dfb21567818c7bce55a5d178b28cc9040c528d7045f72eb
SHA512: b52f87db3390ecd2cd5726c3833c07a224d9c718cc8d4a421faef5f66d3f3a2625d1a92c7bf288f67e4fba9f1fd63c40fd05b76ea85b149d6019a6a17e428bce
PEiD: -
TrID (file type identification):
- Windows Screen Saver (39.4%)
- Win32 Executable Generic (25.6%)
- Win32 Dynamic Link Library (generic) (22.8%)
- Generic Win/DOS Executable (6.0%)
- DOS Executable Generic (6.0%)
Note: This site is distributing a rogue (“fake”) anti-malware product. Do not visit, pay, or download the software discussed below.

Sites:
hxxp://total-secure2009.com
hxxp://ns2.total-secure2009.com
hxxp://ns1.total-secure2009.com
File: TotalSecure2009.exe
Result: 3/36 (8.34%)
File size: 2515292 bytes
MD5: 54393d6eba5d1c08c4ccabcb89d02d0f
SHA1: b03927f5d03a1145179a36816ef369c64ef4e663
SHA256: b1b52edd39e65dc5d987f82f68ea67c5ebf9db6e282d735c1a619efe1d8bf3c8
SHA512: d9bce19ab027ce24619aacab9adda9cc0e91e438569731259db87d5fb06d20c7e6a8e9967822f8ed0edb3afe78416264d2d6338c62ef642f64c08f2d4b45ef43
PEiD: -
TrID (file type identification):
- Win32 Executable MS Visual C++ (generic) (65.2%)
- Win32 Executable Generic (14.7%)
- Win32 Dynamic Link Library (generic) (13.1%)
- Generic Win/DOS Executable (3.4%)
- DOS Executable Generic (3.4%)